NTFS Permissions - Best way to stop people creating crap in root of drive?

Could I pick people's brains on how they implement NTFS permissions so that for a shared folder, a group can't create random folders or files in the base of that folder, but can read/modify any files and folders on that share?

So you might have a root with subfolders of:

Folder A
Folder B
Folder C

And you want everyone to have access to read and write what's in the three subfolders but you don't want random Joe to be able to create

Folder D or Document.doc

In the root. I can think of a few ways to do it but I'm not really sure which is the best practice/recommended way?

That's the way I've done it previously, I use a "List" group which I use Advanced Security to allow list on "This Folder Only" and then I add the Read/Write group on each folder - pain in the ass when there are lots of folders though which got me wondering if there was a simpler way.

Re-org the folder structure so you have fewer folders at the top level... We have 1 folder for each dept at the root, and they can do whatever they want under that, but the root stays clean (and with ABE, even cleaner...)

This is a pretty common setup. No need to break inheritance on the subfolders of the share root, which would permanently force you to separately maintain permissions for every top level folder the sysadmin folks may need to create in that share in the future.

Unless you want full access granted to the subfolders, in which case you can set permissions for this group to "Full control", but the important bit is this:

Apply to: Subfolders and files only (not This folder, subfolders, and files)

This setting is what will propagate the modify or full control permissions to subfolders and files while not touching the share root with this permission.

Then set "Replace all child object permissions with inheritable permissions from this object."

Then all you have to do is put your special users who should be allowed to create folders in the root of the share in ShareGroup_FULL and put everyone else in ShareGroup_DIR and Sharegroup_MODIFY. You won't have to touch the permissions here again and from then on, any new subfolders created by users in the ShareGroup_FULL group at the root will be permissioned correctly by default.

I like this approach; can't quite figure out why I hadn't thought to do this before.

Just to say this is exactly how I ended up doing it so thank you for the pointer. I'm not a fan of "Special" permissions unless I have to as I always find it tricky to look back and work out exactly what someone can do via the advanced properties, but in terms of ease of putting it in place this won hands down.

Glad it helped. You're right in that it's annoying to have to drill down into it to see what exactly the special permissions are, especially with all the extra clicks one has to do to get into the advanced permissions since the 2008R2/Vista/7 implementations of the dialogs.

I hate to be a thread necro and Debbie Downer all in one but I don't think the above permissions would work, unless I understand the intent incorrectly.

The problem is with any subfolders. Let's say C:\Share\Folder1. ShareGroup_MODIFY gets (among other permissions) the following permissions for each folder under C:\Share:

Delete

So they could delete any of the subfolders under Share, including C:\Share\Folder1. They couldn't *create* anything under C:\Share, but they sure could *delete* anything under C:\Share.

I think you'd want to give them permissions to Delete Subfolders and files but NOT "Delete" and as you said apply to Subfolders and files only. That way the Delete permission doesn't extend to the C:\Share\Folder1 attributes but would extend to anything below C:\Share\Folder1 the user created.

I'm wondering that myself, I'm just starting to look into replacing the giant clusterfuck of a file server here and I'm trying to figure out how to best apply permissions and build the folder structure.

Subfolders and files only: All except for Full Control, Delete, Change Permissions, Take Ownership.

I know that this works very well (I spent a long time figuring this out with a test file and folder structure). With these permissions, users will be able to have modify access from all subfolders and files within the root, but will not be able to create or delete any level 2 subfolder. They will not be able to create any files at level 2. They will also not be able to accidentally drag a level 2 folder into another level 2 folder.

The key difference is unchecking the "Delete" allow permission rather than the "Delete Subfolders and files" allow permission.

If you do not allow them the "Delete Subfolders and files" permission, they will not be able to delete any file in the whole structure. This may not be a bad thing, but it also does not allow users to delete any temp hidden file that is created when opening Office application files.
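The ShareGroup_DIR / ShareGroup_MODIFY / ShareGroup_FULL layout from the earlier reply, with the "Delete" unchecked but "Delete Subfolders and files" kept, scripted with Get-Acl/Set-Acl. This is an added example, not code from anyone in the thread; it assumes the share lives at D:\Share, that the groups are domain groups under DOMAIN\, and that SYSTEM and Administrators should keep full control (the thread names the groups, everything else is assumed).

```powershell
# Added example (not from the thread). Assumed path and group prefix:
$Root = 'D:\Share'
$Dom  = 'DOMAIN'

function New-Ace {
    # One Allow ACE with explicit inheritance and propagation flags.
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# "Modify" = ReadAndExecute + Write + Delete. Dropping Delete stops members from
# deleting the top-level folders themselves; adding DeleteSubdirectoriesAndFiles
# lets them still delete files and folders that sit below those folders.
$ModifyNoDelete = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write, DeleteSubdirectoriesAndFiles'

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the volume root
# Operating-system accounts keep full control of the whole tree (assumed requirement).
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# ShareGroup_DIR: list/read the root on "This folder only" (no inheritance at all).
$acl.AddAccessRule((New-Ace "$Dom\ShareGroup_DIR" 'ReadAndExecute' 'None' 'None'))
# ShareGroup_MODIFY: "Subfolders and files only" = inherit to both, InheritOnly keeps it off the root.
$acl.AddAccessRule((New-Ace "$Dom\ShareGroup_MODIFY" $ModifyNoDelete 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# ShareGroup_FULL: full control on "This folder, subfolders and files".
$acl.AddAccessRule((New-Ace "$Dom\ShareGroup_FULL" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
Set-Acl -Path $Root -AclObject $acl

# "Replace all child object permissions with inheritable permissions from this object":
# re-enable inheritance on every child and strip any explicit ACEs it carries.
Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    $child.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$child.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}
```

Run it once as an administrator on the file server; afterwards group membership alone decides who can create at the root, and new top-level folders inherit the right ACEs.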

I need to have that group traverse through to directory 3, but not be able to traverse to subdirectories in directory 2 or 1. I don't want them to be able to access any data there. If I do advanced permissions for group Traverse on root to Traverse "this folder only" on Directory1 my test user can get into directory1, but no other subfolders -good. Except when I add the traversal to directory2, they still cannot access directory2 and they need to be able to.

Any hints on this?

These are my suggestions:

1. Consider moving Directory 3 to a different location (higher up)

2. Just have the users map a drive direct to "directory3"

If you really want to persist with permissions you will have to break inheritance on all next level folders of "directory1" except for "directory2". Then apply Traverse permissions on "directory1" to "This Folder and Subfolders".
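The "persist with permissions" route above, scripted. This is an added example, not code from the person who answered; it assumes the tree D:\Share\directory1\directory2\directory3 and a group DOMAIN\Traverse, neither of which the thread names.

```powershell
# Added example (not from the thread). Assumed paths and group:
$Dir1 = 'D:\Share\directory1'
$Dir2 = Join-Path $Dir1 'directory2'
$TraverseGroup = 'DOMAIN\Traverse'

# 1. Traverse on directory1 applied to "This folder and subfolders":
#    ContainerInherit only, so files never receive the ACE.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $TraverseGroup, 'Traverse', 'ContainerInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Dir1
$acl.AddAccessRule($rule)
Set-Acl -Path $Dir1 -AclObject $acl   # NTFS propagates the ACE into every subfolder

# 2. Every other subfolder of directory1: break inheritance (keeping copies of the
#    inherited ACEs so nothing else changes), then drop the Traverse group's entry.
Get-ChildItem -Path $Dir1 -Directory -Force |
    Where-Object { $_.FullName -ne $Dir2 } |
    ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($true, $true)
        $child.Access | Where-Object { $_.IdentityReference.Value -eq $TraverseGroup } |
            ForEach-Object { [void]$child.RemoveAccessRule($_) }
        Set-Acl -LiteralPath $_.FullName -AclObject $child
    }
```

directory2 keeps inheriting, so the group can walk directory1 > directory2 > directory3; the sibling folders now carry no ACE for it, and whatever the group may read in directory3 still has to be granted there separately.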

Whatever ancient graybeard wrote the batch utility we use to lock out folders has long since passed to the WHITE and no longer treads where mortal IT folk toil.

I will see if I can pass on the runes he left behind. None here can decipher this magic speech. Perhaps there lurks one here who knows the tongue of the ancients and can pass their wisdoms and knowledge.

Seriously, we have a menu driven utility that creates project folders in the root of our share. Sub folders specific to the client and project type.

The root share is read only. The project folder is read only. The client/project specific folders are open for authenticated users to modify.

Hi,

I like that idea, but what if we have a few folders under the root share, e.g.:

Finance (add F-Full/F-DIR/F-Modify groups)
    AP
    AR
    PayRoll

I also need the Payroll admin to be able to create subfolders in this folder, and it should only be accessible by payroll users (Pay-Full). How do I set this up?